BreachExchange mailing list archives

MD Taxpayer Data Exposed Online


From: "Mike Cokenour" <mike () cokenour com>
Date: Fri, 04 Jan 2008 18:50:18 +0000

http://www.washingtontimes.com/article/20080104/METRO/73800052/1004



Taxpayer data exposed online
January 4, 2008
By Gary Emerling - A security gap on a Maryland government Web site left hundreds of Social Security numbers 
unprotected as homeowners attempted to register for a property-tax exemption this week. 

Officials said residents applying Monday for the homestead-tax credit at the Maryland Department of Assessments and 
Taxation Web site (www.dat.state.md.us) may have exposed their Social Security numbers online because the application 
system did not have a necessary security certificate to encrypt the information before it was sent out over the 
Internet. 

Robert Young, the department's associate director of assessments and taxation, said the gap briefly left the numbers 
exposed, but the information was transferred to a secure server after an application was submitted. 

"For that minute or so there ... that wasn't encrypted," Mr. Young said. "If they submitted an application, it went to 
a different section that was encrypted." 

The application system on the site went online Dec. 28 but was not accessed until Monday, after residents had received 
their assessment notices in the mail. Roughly 900 people used the system that day. 

Mr. Young said it would have been nearly impossible for anyone to access the numbers because of the brief amount of 
time they were exposed and because hackers would have had to tap into Internet transmission lines from a specific 
location. 

"Somebody would have had to been focused in on that site," Mr. Young said. "The chances of that are virtually nil." 

The Web-based tax-application system is managed by Towson University's Regional Economic Studies Institute. 

Tim Brooks, the institute's associate director in charge of software development, said a hacker would have had to be 
located right outside the home of a resident accessing the site or outside of the institute's data center at Towson to 
steal the numbers once they were sent out over the Internet. 

"While it is technically possible there was some sort of compromise, it is logistically unfeasible," Mr. Brooks said. 

Mr. Young said officials shut down the site on Monday at about 4 p.m. and added the extra protection. The site reopened 
Wednesday at about 4:15 p.m. and is now secure, he said. 

Reports of identity theft have become more common around the region and across the country in recent years. Last year, 
there were 446 security breaches resulting in the exposure of nearly 128 million records, according to the Identity 
Theft Resource Center. 

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

